Building Trust and Bridging the Gap in OT and IT Cybersecurity

Episode 60 June 02, 2025 01:00:38
PrOTect It All

Hosted By

Aaron Crow

Show Notes

In this episode, host Aaron Crow sits down with Dean Parsons, one of the most recognized names in the OT and industrial control systems (ICS) security world, for a candid and insightful conversation.

Join Aaron and Dean as they explore what it truly takes to bridge the worlds of IT and OT. Drawing from decades of industry experience, their discussion covers everything from building trust across teams to the superpower of understanding both operational technology and cybersecurity. Expect real-world stories, practical advice on breaking into OT cybersecurity, and memorable lessons from the plant floor to the boardroom.

They also break down what makes OT security fundamentally different from traditional IT approaches, why risk-based strategies are essential, and how building relationships, sometimes over donuts and coffee, can be just as important as deploying firewalls and patching systems. Whether you're new to ICS and OT security, or a seasoned defender looking for a fresh perspective, this episode brings actionable tips, honest assessments, and inspiration to help you better protect what matters most.

So grab your hard hat (and maybe a box of donuts!), and get ready for a masterclass on collaboration, building skills, and why trust is the real currency in the fight to secure our critical infrastructure.

Key Moments:

05:32 Listening Over Speaking in Legacy Spaces

07:01 IT Security Teamwork and Trust

11:21 Cost-Efficient ICS Security Solutions

15:42 Converging Skill Sets in IT Security

17:36 OT vs IT: Different Risks

22:28 Prioritizing Post-Assessment Actions

23:20 Prioritize SANS ICS Critical Controls

29:31 Engineering Perspective on Critical Assets

30:47 Detecting Misuse of Control Systems

35:52 Collaborative Incident Response Dynamics

39:03 Remote Hydroelectric Plant Journey

40:45 Building Trust with Baked Goods

44:55 "Safety Crucial in Facility Disruptions"

48:50 ICS Security: Closing Safety Gaps

53:37 Enhancing ICS Security Controls

57:18 "ICS Summit and LinkedIn Activities"

About the guest:

Dean is the CEO and Principal Consultant of ICS Defense Force and brings over 20 years of technical and management experience to the classroom. He has worked in both Information Technology and Industrial Control System (ICS) Cyber Defense in critical infrastructure sectors such as telecommunications; electric generation, transmission, and distribution; oil & gas refineries, storage, and distribution; and water management. Dean is an ambassador for defending industrial systems and an advocate for the safety, reliability, and cyber protection of critical infrastructure. His mission as an instructor is to empower each of his students, and he earnestly preaches that "Defense is Do-able!"

Over the course of his career, Dean's accomplishments include establishing entire ICS security programs for critical infrastructure sectors and successfully conducting industrial-grade incident response and tabletops, ICS digital forensics, and ICS/OT cybersecurity assessments across multiple sectors. As a SANS Principal Instructor, Dean teaches ICS515: ICS Visibility, Detection, and Response, is a co-author of the SANS course ICS418: ICS Security Essentials for Managers, and is an author of SANS ICS Engineer Technical Awareness Training. Dean is a member of the SANS GIAC Advisory Board and holds many cybersecurity professional certifications including the GICSP, GRID, GSLC, and GCIA, as well as the CISSP®, and holds a BS in computer science. When not in the field, Dean spends time chasing icebergs off the coast of Newfoundland on a jetski, or writing electric 80s-inspired electronic music in his band Arcade Knights.

Resources Mentioned:

5 ICS Cybersecurity Critical Controls: https://www.sans.org/white-papers/five-ics-cybersecurity-critical-controls/

SANS ICS Cybersecurity Summit: https://www.sans.org/cyber-security-training-events/ics-security-summit-2025/

How to connect with Dean:

https://www.linkedin.com/in/dean-parsons-cybersecurity/

https://www.sans.org/profiles/dean-parsons/

Dean's Book:

https://www.amazon.com/ICS-Cybersecurity-Field-Manual-EXCLUSIVE/dp/B0CGG6GMHW/

Connect With Aaron Crow:

Learn more about PrOTect IT All:

To be a guest or suggest a guest/episode, please email us at [email protected]

Please leave us a review on Apple/Spotify Podcasts:

Apple - https://podcasts.apple.com/us/podcast/protect-it-all/id1727211124

Spotify - https://open.spotify.com/show/1Vvi0euj3rE8xObK0yvYi4

Episode Transcript

Aaron Crow (00:01.338) Thank you for joining me on Protect It All podcast today. Anybody that's been in OT cybersecurity, I'm sure that you know my guests today. If not, you should. So Dean, why don't you introduce yourself? Thank you for taking time and joining me. It's been too long, but yeah, introduce yourself, tell us who you are and a little bit about your background. Dean Parsons (00:19.438) Absolutely. Thank you so much. I'm really glad to be on the podcast and we've known each other for a while in the industry. Just a little bit of background on myself. I was that kid hacking systems back in the old days when I was in high school, grew up computer science degree, cybersecurity degree, did a lot of time and work and effort on IT starting out in IT security for the first 11 years of my career. So real quick, telecommunications, incident response and that's hiring teams, policies, all those kinds of things. I've never gotten away from the tactical, technical aspect of incident response. So for the last 12 years though, so 22 plus years now I've been in cybersecurity, the last 12 years have been focusing on directly in industrial control environments and OT environments. So CSO at a power facility, generation transmission distribution, and in between that held roles in oil and gas. And now I'm a SENS principal instructor and between my teachers, I'm in the field doing missions and I'm also in the field doing assessments. So. At any given day, Aaron, could be on the plant floor with a hard hat on, talking with engineers and personal protective equipment. And then the next day, tie on, suit on, and talking with the board of directors on getting them to understand what OT and ICS risk is so we can kind of make adjustments. So that's me in nutshell. Aaron Crow (01:31.29) Dude, I absolutely love that. I have a very similar background, but I want to dig into that because so many people always reach out to me and I'm sure you as well. 
Like, how do I get into cybersecurity? How do I get into OT security? Adding into ICS, all this type of stuff that I think I know for me and I'll let you speak for yourself, but the experiences of seeing both sides of that coin, being able to talk to the plant manager, being able to talk to the IT guy, being able to talk to the CIO and the executives. Dean Parsons (01:41.996) Yeah. Aaron Crow (02:00.836) that skill set and that business acumen or the acumen in all of those different spaces, because I show up differently. I put on my avatar of my plant guy when I have my PPE and my hard hat on. And it's not fake. I'm not pretending. I've worked in outages. I worked out, you know, power plant outages and did control system upgrades and, you know, network segmentations and audits and all that type of stuff. Dean Parsons (02:07.48) Yeah. Aaron Crow (02:22.874) But I also worked in the IT space and I've also been a CTO of a power of a company as well. So I've been in all those spaces. So having that ability is a a is a superpower from my experience. How have you felt in that? Dean Parsons (02:35.566) For sure. There's no question about it. And there's an engineer I want to thank here. He's the person that took me under his wing when I was in IT security a long time ago. And he says, let me show you what the business is. And he brought me to a power facility, right? 5,000 megawatt generation. And it opened my eyes the whole way in the truck on the way there. was like, I'm going to be able to work on this and encrypt the network and do this. And then he let me talk the whole time, And when we got there, it was just like it opened my eyes. And so I guess the takeaway here for me is that having the ability to understand what IT is as a support network is definitely helpful. You got to have it. It's all important. 
When we got to the facility, it just, I realized that this is the business and in, in 2025 going forward, are we protecting the business rather than just the support networks? Both have to be protected. Both have missions. So It was that engineer that said, with me, put a hard hat on, let's walk around the facility. And as I was there, just kind of feeling the environment, listening to it, walking around and seeing it. I realized then that this is a different thing. And then my ability to relay risk and what risk is and the defenses for the environment started to change immediately. So I always say, like, you know, if you're getting into ICS for the first time, find that engineer that can befriend you, you can befriend them. get into the facility physically and kind of work from there. And then you can quickly understand the lingo. In fact, people say, what's the best way to get in? And that's my story. But also, come to my class and all those kinds of things as well. when you get to a facility, you get the language, the lingo, and you understand rapidly. I've had experiences where I've suggested organizations for people in IT to job shadow engineers for two, three months at a time. And it probably accelerates their maturity, Aaron. probably by years in two or three months of effort. Aaron Crow (04:26.47) 100%. And, you know, one of my mentors told me a long time ago, same, same, I worked in power utility, you know, I was an IT guy, I worked at AT &T and State Farm, you know, all the different IT side. But, you know, as a power, you know, working in power utility, you know, it was the, my dad worked for, he was a controls engineer for 40 something years, right? So that was his background. So I kind of grew up around critical infrastructure and all this stuff before we called it cybersecurity or OT for sure. Right. And so I was in these spaces. Dean Parsons (04:32.334) Yeah. Awesome. Dean Parsons (04:44.379) Awesome, Dean Parsons (04:51.502) Yeah. 
Aaron Crow (04:54.948) because I was a legacy in this company, people knew me, they knew my dad, and they would open up to me more than they would one of my counterparts. And I learned really quickly, the more that I, my dad told me this, you've probably heard this before, there's a reason God gave you two ears and one mouth. If I listen more than I spoke, because I was like you in that. Dean Parsons (05:13.986) you Yeah. Aaron Crow (05:18.598) truck ride to the plant. I have all these ideas of, we can do this and that, and we can take all the things that I've done and all these large, you know, Fortune 50 companies that I've done these amazing things at. And then I get to this OT space and I realize, you know, I'm the tail trying to wag the dog. The dog is the most important thing is the business. And IT, you know, pushing those policies down would break things, right? And I had to understand why we had to do things differently. It doesn't mean we don't fix things, but Dean Parsons (05:36.238) 100%. Yep. Dean Parsons (05:42.584) Yeah. Aaron Crow (05:48.452) I do things differently in OT and I know I sound like a broken record all the time for the audience that's out there, but you know, OT is different. And I know that one of the things that you focus on is that it doesn't have to be hard just because it's ICS, right? It's just different. Dean Parsons (06:01.878) Yeah. And so I totally agree with you. And there's a couple of things you mentioned I really want to key on. Like for you, for example, you mentioned the trust aspect. Like when you walk into a facility, an engineer, because they're working in a hard hat, they're working in a hard hat and PPE, as you know, for a reason, people get hurt, people can get hurt. And so it's unlikely someone's going to bust in the door to a substation. Boom, I'm here from IT security, going to lock this puppy down and they're going to let you on a keyboard. 
And in fact, if you are on a keyboard, you might do things that disrupt things and have impacts of safety. So engineers need to, I think IT folks need to earn the trust and earn the respect and rather than be forceful. And I think you're right about the tail on the dog. And I think we all heard about that before. So yeah. I think from my perspective, 22 years in cyber defense, 10 or so years in IT security. And I've converged teams as a CISO. I've separated teams in some organizations as well by necessity. And I think the biggest thing is when you have the teams working together, you have a full understanding of what an attacker can do. I think that's the biggest piece. So yeah, there's a lot of value, I think, in convergence. And yeah, I mean. I respond to incidents as well. so having the engineer being able to do something on a digital device that's not a Windows operating system, you need that. You also need to have an understanding of the IT kind of cybersecurity side as well. So my point is this, in 22 years experience in cyber defense, I definitely think it is easier to do ICS and OT cyber defense. there's a number of reasons why, and I don't want to get too far into that, there's... Aaron Crow (07:39.77) Hot take there, guys, hot take. Dean Parsons (07:41.526) Yeah, ICS is easier than IT security. So my hat goes off to folks in IT security. I think they have a harder job because they have to manage more connections going to the big bad internet for legitimate purposes in many cases. There's also more users on the IT support networks that you have to track and understand could they unknowingly invite threats in through email, et cetera, et cetera. Inside the control system environment, we see sub 5 % of the employees in the organization on that network, which means inherently there's less possibility or potential for impacts. There's more vulnerabilities, I say, in ICS. 
But the potential for the adversaries to get there and have, I guess, impact without us knowing, yeah, IT is a harder job. So that's definitely my approach. And that's what I've seen. Aaron Crow (08:33.094) I agree and it's not the thing that you see at, know, SANS, not even SANS, but you know, these conferences where sales vendors are going out and saying, hey, you got to buy my thing because you know, the FUD, right? You know, the end of the world's coming, bad guys are coming. And all those things are true, but to your point, right? You know, we don't have, I'm working off a laptop and I've got, you know, an iPhone and an iPad and all these things. We've got, in a corporate world, we've got all these transient devices. I'm installing applications. Dean Parsons (08:46.22) Yeah, yeah. Yeah. Dean Parsons (08:56.098) Mm-hmm. Aaron Crow (09:01.722) You know, I need admin on my box. I've got, you know, I'm going in chat GPT. I've got all these different things that we have problems with in the IT world. And in the OT world, we've got a lot of vulnerabilities to your point. I've got older devices, I'm not patching, I'm not updating those things as often, but it's that Sun Tzu art of war, right? It's, you know, use my strengths as weaknesses and my weaknesses as strengths. Things don't change in an OT space very often. Maybe once a year, I'm not updating things, I'm not patching things, I'm not installing new applications. I'm not bringing, I'm not taking my device out of the power plant and going to Starbucks with it, right? Dean Parsons (09:34.734) Right, right. Yeah. And so you bring up a great point about patching because, and I want to just be clear here, right? Like we need to continue to patch industrial control systems. I'm not saying don't patch at all. I want to see tag lines like Dean says don't pack, like not at all. 
But what I am saying is that when I do incident response, a lot of the time the adversary is not just finding a vulnerability, creating an exploit, pre-positioning the exploit, exploiting something and then escalation of privileges. In many cases, they unfortunately don't need. Adversaries don't necessarily need a vulnerability or to write an exploit. They can use the control system against themselves. So, I mean, we're going on 10, 11 years now of adversaries living off the land using the HMIs against the control system, abusing OPC, DMP3, Modbus, TCP, et cetera, against the control system. So patching is a touchy subject. And every time I talk about it, whether it's in a boardroom or whether it's in class, it's usually a very heated. discussion and healthy discussion, Aaron. It's combination. So patching needs to happen. My suggestion is the best is to align when there's engineering, maintenance windows, great time to patch, right? Great, great time to start patching. But the adversaries continue to live off the land. And that's what concerns me, I think. And I think that I've had students walk away from my class with near no money. Like they'd go back to their organization and to do like a bake sale to get like a really great laptop and a terabyte hard drive. And they would then with engineering approval, walk into facility, set up a network monitoring and look at the network traffic. And then you're starting to understand what's there, what could be taken advantage of. So I would agree that ICS security for sure is easier and it doesn't necessarily have to cost millions of dollars if you focus first on the right place. and I've, with that scenario, I've just mentioned with the laptop and the hard drive, I've seen small water utilities specifically who have very little budget in many cases. 
And the same person, Erin, who is the engineer, her program is the PLC is at the facilities and understands how much sodium hydroxide needs to go into the facility versus applying patches. They're the same people in some cases that mow the lawn at the water site. And so from my perspective, how do we get them to do something that is effective for their environment that gives them visibility? And that's where that solution comes in. It'll scale probably across five, 10, 15 sites. That solution won't scale across 200 sites. Dean Parsons (11:59.286) which is where your professional tools come and play, right? So, yeah. Aaron Crow (12:03.142) Well, and that multi-skilled, and that's a value, it happens across OT. We see this a lot. And, you when I built out a team at, you know, a power company, I built a multi-skilled team. I brought people from IT, you know, and I taught them OT, but I got, I brought guys that were, you know, operators and, you know, control system folks that had been in the company for 30, 40 years and had done nothing but the operation side of things. And I brought them in, they had no cyber experience. no IT technology other than what they were doing. They had that experience, but they didn't call it that. They were programming PLCs and they were configuring networks, but they didn't know why they were doing it or how they were doing it. They were just doing whatever they, you know, the vendor told them to do. But when you put those two parties together, you build this new thing, right? And, and you know, the experiences that come out of that and the, the, the, the trust you, we, we hit on that before and I want to double click on that, that trust we, we do bit, we do Dean Parsons (12:41.646) Sure. Aaron Crow (12:58.79) We do business at the speed of trust. And what that means is the faster that I can make you trust me, the more likely you are to listen to my ideas, right? If you don't trust me. 
Yeah, if you don't trust me, I could have the best idea in the world, but you're never going to try it you don't trust me. So why would you trust my idea? Dean Parsons (13:01.774) Yeah, yeah, 100 % agree. Dean Parsons (13:08.328) the more likely someone can help. Yeah. Yeah. Dean Parsons (13:18.277) 100%. And I find it strange. And I will say that in immature, maturing organizations, maybe IT is tasked with, okay, we got to worry about the control system now. There's threats out there. So go do good things on the ICS. And with great passion, I love a lot of folks from IT, great passion. They've been doing this for decades. It's awesome. Great skills. And when they go and they're tasked and told to do ICS security, and they try to push it, then it's going to cause friction, right? And again, it's the tail and the dog thing. But what I find is when engineers really kind of show up to say, cool, well, let's go back to what you just mentioned a moment ago. You mentioned about you having an understanding and hiring people, maybe from IT and ICS. I get asked a lot in class on assessments. hiring managers, like at the C-suite level, they're out now to hire people for the control system, cyber project, and cyber program. And the question I get is, should they hire from IT security or should they hire from engineering and then have that person be the ICS security program leader or manager? And it's a tough question to answer. I do have my opinion on that. And if you press me for it, I'll give it to you. But what I will say is that when I hire people from IT security, they know the cyber aspect. They know the threats that are out there, which is awesome. need that. You need a piece of that. So there's a blend here. But when you hire from... Okay. And the IT folks don't generally understand or get or prioritize safety. Engineers got that down. Like they're good to go. 
Then you'd just have to augment the engineers with, by the way, did you know that it's not only us engineers that can take advantage of, even know what function codes are in Modbus TCP. The adversaries also know that and cyber can cause physical damage. So there's this kind of Delta. And I, I think the Delta is smaller when you're training engineers, cause they know the systems, how they interact, how they can be abused. Aaron Crow (14:47.046) Correct. Yep. Aaron Crow (15:00.774) All right. Yep. Dean Parsons (15:11.704) but we still do need that IT security element as well. And so here's my ploy. I definitely think from an adversarial detection perspective, it makes a ton of sense to converge the teams, at least the tactical visibility. So I'm not gonna suggest, let's talk about convergence for 25 minutes. I look at it from the perspective of convergences, in my opinion, and we can have a discussion, like do it works, is really two threads of a conversation. One I think is totally, totally dead, which is the convergence of technology because we converge technology two decades ago. I think the conversation today is the convergence of the skill sets, not the teams and not the networks. don't, yeah, don't, yeah. Cause so I think that's a big piece, but yeah, I mean, I think that, I think hiring from IT security and engineering to be a leader or to be a tactical hands on the ground, on the ground person, there's challenges in both. But we need it. I think we need a combination of both of those skill sets. Aaron Crow (16:14.468) Yeah, you know, I was at a conference. don't remember which one I go to so many, but I had a guy come by. I was in the ICS village and, volunteering there and having conversations. And one of the guys came up to me, Guy, gal, I don't remember. And if it was you happy for you to reach out and continue the conversation. But they were like, well, there, there is no difference between OT and I. And I was like, interesting. 
What do you, can you elaborate? So, and their entire idea behind it was kind of what you just double clicked on is. Dean Parsons (16:20.419) Yeah. Aaron Crow (16:43.298) the technology has converged. It's the same switches, it's the same firewalls, it's the same VMware. And I'm like, okay, I don't disagree with the technology stack. We're using the same components on both sides. The T is the same in the I and the O, or very similar, right? But the use case and the potential risk are different and the attack vectors are different and all of those other things are. Dean Parsons (17:01.677) Yeah. Aaron Crow (17:09.03) the playbooks and all the things like, know, and my analogy that I gave them or the conversation I had is if a SOC analyst sees a Windows XP device show up in an enterprise environment, they boot it off the network and they isolate it. They don't let it on. You can't do that in OT because that XP machine may be controlling my Turbine control system, right? So I just shut down the system. Dean Parsons (17:30.245) 100%. Yeah, 100%. The reaction to, it's an old box, shut it down. I definitely think there needs to be more focus on not just a blanket statement. It needs to be patched. It's outdated. Patch, patch, patch, patch. It needs to be a nuanced conversation of, is the adversary going to even get there? What's the probability of an adversary getting there? OK, great. It has a CVSS score of 10. OK, so is it isolated? Is it not? I know what you're saying, but what do you do for a risk? perspective. And I also think that misconception, right? People will walk into an oil and gas facility, a power system, and see a bunch of Windows boxes and Linux boxes. And people sitting in comfortable chairs, engineers, smart people, monitoring the control system with these, I'll say, converged technology operating systems. Awesome. But when you get to the plant floor, it doesn't generally look like that. So my point I'm trying to make is this. 
When I do assessments, I'm hired a lot of time with my company, ICS Defense Force. to go in and do asset inventorying. Of course there's Windows, there's Linux. I've even seen old, like we're gonna get that, that's fine. Yeah, yeah, exactly. Old, like the Solaris pizza boxes, like, I mean the whole thing. But when you get to the plant floor though, as we know, Aaron, it's okay, well where's the window boxes? Well, that accounts for maybe 20 % of the upper part of your Purdue level in your organization. And now there's programmable logic controllers, there's meters, protection control relays, there's RTUs. Aaron Crow (18:33.158) sun, micro systems, you name it. Yep. Yep. Dean Parsons (18:55.61) None of those are traditional operating systems. None of those can take an antivirus agent. So then it's not just T. It's T that doesn't function, have the same mission, or you can't protect it the same. So in my opinion, when people say it's the same, OK, that's great. I think there's some learning you need to do. Yeah, there's 70 % of those assets are not what you'll see in an IT environment. And if you do, let's have a conversation on the break, right? Like, if you see an email server in the IC, like so. Aaron Crow (19:20.326) Wait. That's a problem. Dean Parsons (19:24.846) I think the positive note, is that there's people interested in their asking the question. So IT people who have the great background and the great knowledge for decades, defeating threats and finding them and kicking them out of the network and writing great scene rules, which is awesome. I think they're asking the right questions. I think they're starting to know that, OK, well, maybe they're maybe 20 or 30 % the same environments. But where's the 70 % that's different? And that's the level up piece. That's the opportunity, right? And that's where, again, I'll say like, Go talk with an engineer. 
Take an engineer out for beer and pizza or brisket, bourbon, barbecue, whatever, cookies and donuts and coffee, and then have a conversation where you're listening to them. Back to your point, right? Listen to what they're saying, how they operate the process. And I think for a long time, security folks are just understanding what the outcome is if there's a compromise. So if you ask an engineer what's a bad day, it's a different conversation than an IT. Right. And ransomware is the hot topic, which makes sense. It's a huge impact to any organization. And I think if you ask on the IT side, what happens if we get ransomware today, the outcome is different than on the ICS because in some cases, and I've had to live this, we've had to disconnect the control system and the traditional operating systems because they're ransomed. But guess what? We've continued to produce power. We can need to deliver power safely. Right. So. It's a different playbook, I think you're right. And I think that understanding that difference, 70 % difference maybe, between IT and ICS, I think that's critical. It's more than critical, right? It's absolutely essential. Aaron Crow (21:03.654) How do you feel as far as overwhelming? And what I mean by this is, you talked about the wastewater company that has no budget. Maybe they don't have an OT specific person. They've got a multi-skilled person, like you said, that's the engineer. He's probably mowing the yard, like he's keeping the lights on, he's doing maintenance, know, lockout, tag outs and all these different things that he's doing during outages and everything else. How... How many organizations are just overwhelmed and don't know where to start? They've got that, they know they want, they need things. They know they don't have an accurate asset inventory. They know they have some vulnerabilities. 
They've been fortunate that nothing has impacted them that they are aware of yet, but they are concerned and they're wanting to do something, but they don't know where to start. Dean Parsons (21:48.536) For sure. mean, there's definitely some advice here I want to jump in on. And this is what I feel I've done in the community, what I've done globally in many cases, whether it's water or where they have like really little budget, where it's oil and gas, where they have a ton of budget and 15 major refineries where they produce 20 plus percent of the oil for the world. usually organizations, they go and do an assessment, like understand what the risk is right now and then they'll decide, which is a great place to start. But then the challenge is, okay, here's your assessment, they get an assessment back, Aaron, and it says, we have 115 things you gotta go deal with right now. And it's good to have that roadmap, right? Like I get it, but then I get a lot of questions like, hey, we just did an assessment, can you help us out because we have 115 plus things, which ones of those should we do in the next six months, the next eight months, the next two years? Because 100 things is a lot, how do we get to it, and which one do we prioritize? And so, this is where I'm hugely behind and supportive of the SAN's five ICS, Cyber Security Critical Controls. And these are like, if they're not created based on, they're nice to have. These are threat driven based on the risks we see across multiple sectors. If they're not in place today, that any ICS facility is at high risk. So when someone is feeling, okay, I'm responsible for ICS security today in a program. let's go get an assessment done. I would really key in on those five things that should be included. How are you doing those top five? 
And those top five are ICS incident response, dedicated incident response plan and related exercise to exercise that plan with the scenario that is realistic for the industrial control system, right? And I can go deep into that one and that, I do them on a regular basis, but the scenario is key there. that's, that's control one. Control two is Aaron Crow (23:29.636) Right? Dean Parsons (23:38.154) is a defensible ICS network architecture. we talk, I you mentioned earlier about segmenting out the environments and things. And so having that network that's segmented properly with firewalls, with actual real ACLs will help you and not just VLAN, right? And in a lot of cases, those firewalls, they really should be ICS aware, understand the protocols. So that's the second control. Aaron Crow (23:51.396) Yep, not just VLANs. Dean Parsons (24:04.044) And what's beautiful about these top five controls, Aaron, is that as you complete them, they actually provide value to the next one and the next one. So control one, ICS, it's response plan and exercise. Second one is defensible architecture. Third one is the big one, which is ICS network visibility. Packet analysis, getting full packet captures of ICS information from your manage switches, the tap, et cetera, at low levels in the Purdue. And then, of course, fourth is secure mode access. Let's face it, we're not going back. We're connected, period. There's very little air gap. If there's any air gap, it should be on a control system that is your safety instrumented systems. And then the fifth control, and this one is a hot topic as well, is risk-based patching, so risk-based vulnerability matching. So those are the five. And so when an organization says, do we start, if they have an assessment done, they got a lot of footwork done, that's fantastic. Usually I come in and say, let's look at the top five and here's why. And then they kind of say, okay, well, you know what? 
In the next six months, we got two controls, let's focus on the next one. And that is a great return on investment for them to protect their industrial environment. Huge. It's achievable. Yeah.

Aaron Crow (25:15.11) It is, right. And it's not sexy. It's not, you know, all the fancy things and bells and whistles that you think of necessarily when you're going, especially when you go to a conference, you go to RSA and you see all the AI and all the bots and all the things. And I'm not saying those things are not good things to have, but most of those things only work if you already have a fairly mature environment, right?

Dean Parsons (25:20.494) you

Dean Parsons (25:27.852) Yeah, of course.

Aaron Crow (25:40.122) You don't want to bolt on those other things. And you don't want to be thinking about AI if you don't have your network segmented, if you don't have firewalls, right? It's like you're putting a paint job on a car that doesn't have an engine.

Dean Parsons (25:50.35) 100% agree. In fact, there's a recent little blog series about this, I've got another one coming up soon, and it's on AI and how it's actually used proactively for engineering staff. Understand if that turbine or that turbine is going to malfunction, and we can try to predict when it could happen so we can get ahead of it. That's safety. That's resilience. That makes sense. It's data analysis. So it wouldn't make sense, I would agree, to put AI in place with its own internal, like maybe even segmented off server to do AI crunching and processing.

Aaron Crow (26:08.07) Sure. Yep.

Dean Parsons (26:20.15) If you don't have network visibility or connection play, it doesn't make sense when you have a team that can look at the network with engineering and security background. They can say that that packet stream right there that's sending, you know, maybe it's DNP3 warm restarts to my controllers. That's strange.
Like when you look into that, when you have that fully fleshed out, yeah, man, look at AI. I think that can accelerate things. I still wouldn't recommend, I'd like your thoughts on this, but I wouldn't recommend AI to make decisions and actions inside of a control system. And this is where IT has done great things for a very long time. And we can learn a lot from how IT has adapted technologies. Cloud is another one, right? So if you're out there and you're looking for where does AI fit in, there's a blog series out there. Take a look at it for consideration. But talk with IT. How have they used it in the past? What lessons have they learned? And where does it make sense, if at all, to put it in the ICS? There are use cases to use it, for sure. I would agree that it's a crawl, walk, run kind of thing.

Aaron Crow (27:24.132) Well, in most places I go to, walking in to do an assessment or whatever, right? They don't have an asset inventory, at least not an accurate one, not an updated one. They don't have an accurate network diagram. They don't have an understanding of where their assets are. Even if they have an asset inventory, you know, and the other conversation I always bring up is, you know, I've got two PLCs and they're both running the same version of firmware, right? One's controlling the ice machine in the break room and the other one's controlling the turbine.

Dean Parsons (27:31.374) Yeah, that's right.

Dean Parsons (27:51.566) Ha.

Aaron Crow (27:52.602) They both have the same vulnerabilities, but they're not both the same risk to my organization. And that's the other thing that isn't always caught in an asset inventory, is what does this device do and how impactful is it to my business process, which is the most important thing that you can know about your asset inventory: does it fricking matter if it goes offline? Do I care?

Dean Parsons (27:56.875) Right.

Dean Parsons (28:09.112) Yeah.
So I think you're right. I would agree. It's not sexy. The foundational stuff is not sexy. It's a requirement. It's a necessity. And every time we're doing an assessment, or even teaching on how to do an assessment, there are four methodologies to identify assets. And we say, here's the basic things you really need to have for every asset you have that's a control device. And I always ask the class or ask the team, what else would you add to this list? And it doesn't take long. And the engineer will pipe up immediately and say, because we have the basic things that aren't like the IP address, what's the protocol it's using, how does it talk, all of those things, how does it interact with devices, what do you expect from all that stuff. And the engineer is the first one in the room that says, wait a second, we need to capture what happens if that's not available, right? What's the criticality of that device? And that comes immediately. It reminds me of a story, and folks who are out there listening to this, learn from my mistakes here. So I went into a facility and I said, yeah, like I'm here to do asset. This was way early in my career. And I asked the question, I'm here to do, I didn't ask the question. I kind of told this, and I'm here to do an asset inventory and I'm going to go and find out all the critical assets. And this is way back in my career. What I learned was I didn't ask this question. I said, so from an engineering perspective, what are the critical assets? And the answers that you might get are not what you'd expect. Usually someone's going to say, the Active Directory server, that's definitely critical. And you're going to hear someone say, do we have a DNS? Because that's critical, too. What about the file system? That's critical. But an engineer will always say, like a seasoned engineer will always say, well, we're in a power system. So that turbine over there, that's critical.
And the system that monitors the bearings and the oil and lubrication for that, that's a critical system.

Dean Parsons (29:57.036) And the safety controllers here and the protection controller, really, that's a critical asset. And that's a completely different conversation. So asset inventory, gotta have it. It's not sexy, I agree, it's needed. But what happens if the asset is not even unavailable? What happens if it's misused, right? And this is where we're seeing the adversaries do way more than just, let's get into a control system and write some code and go boop, and maybe it'll work and do bad things. The adversaries we're seeing now for the last nine, 10 years is, how do we abuse the control system against itself? One, it's harder for us to detect these adversaries. Sucks for us, easier for them. But we can detect it. Remember, ICS is easier than IT, I think, still. So how do they abuse it? And then the other thing is that because they're abusing the control system, they have less baggage to bring in to write code for, et cetera. So things like injecting ICS packets or using PowerShell on an engineering workstation to do bad things is what we've seen again and again and again, and that's not gonna stop anytime soon. So patching is important, but understanding how to detect that living off the land stuff, I think, is really where we have to be today. And that's where the five critical controls get you. I think it gets you to the point where if you have a person with ICS and a little bit of peppered in IT knowledge, looking at the network with the understanding of that asset, if that's compromised, that's a bad day. That's downtime, that's blackout, it's safety concerns. I think that is how we win at ICS defense today. I really think that's where we are.

Aaron Crow (31:32.152) No, I 100% agree. And I also see the risks being different. And that's the thing, Idaho National Labs has the whole cyber informed engineering process, right?
And that's the way we need to look at these. We need to have technologists, we need to have cybersecurity, IT type folks in the conversations when they're designing and upgrading and managing the control system. And not because

Dean Parsons (31:42.829) Yeah, of course.

Aaron Crow (32:00.098) I want my IT guy telling me, you know, the engineer, how he should design his control system. But more so when he's saying, this is going to be an open protocol, or we're going to use VLANs to segment these networks, they could say, timeout, could we put a firewall there instead of just VLANs and actually segment the network? And we'll make it application aware. And we're not going to block anything. We're just going to alert. We're going to monitor those things. We're going to send a SPAN. Like, those are the types of conversations that you want to be part of.

Dean Parsons (32:21.582) Yeah.

Aaron Crow (32:27.526) Again, these engineers are super intelligent. They're the smartest people, hardest working dudes and men and women I've ever met and had the pleasure of working with, but they don't know what they don't know. The same thing goes on the other side of that coin. The IT people don't have, and you said this earlier in the podcast, the IT people don't have the operations experience, right? So don't pretend that you know things that you don't. Putting those two things together makes us stronger. The other thing that I always say, and I say it all the time because I want to bang it home,

Dean Parsons (32:30.507) Yeah.

Dean Parsons (32:40.366) Exactly.

Dean Parsons (32:46.861) Yeah.

Aaron Crow (32:57.72) is that we're on the same team. If you're IT or OT, we're in the same company. We're wearing the same jersey. We're protecting the same thing, the asset, the company. We have the same goal. So we shouldn't be looking at each other as adversaries.
We should be looking at each other as teammates, and you're the kicker and I'm the quarterback, or whatever analogy you want to use, but we're on the same team. How do we work together to get to the end goal?

Dean Parsons (33:22.754) So I did an assessment and I was in a board of directors kind of meeting. I had eight minutes, Aaron, eight minutes to say, this is what I learned in the assessment. Here's what we should do next. Here's why. For the eight minutes, I have three slides. Okay, board meeting, tie on, three slides, eight minutes, and you're done, dude. Like, that's it, that's what you get. And the eight minute conversation, I finished actually at six minutes. So got that, nailed it. But it turned into a 22 minute conversation. And here's why it went that way. So back to your point about the working together. I did the assessment, right? CEO is there, CFO is there, VP of engineering, CIO, CISO. And the CEO said, hey, great. This is a great report, team. Fantastic. You worked with engineering, with IT security, with safety, with physical security. Fantastic. Is there any? And this is where it comes in. He said, is there anything in the report, that you did in the assessment, that wasn't part of the scope of the assessment that you want to share with us today that relates around risk? And I knew exactly where he was going. And it comes down to, actually I said yes. And respectfully I said that I found there was a lot of tension between the teams, and that only slows things down. And with that conversation, this is where it went to a 22 minute conversation, he went to each one of the members on the C-suite and said, go get your stuff together, go get your stuff together, start working together immediately. And it changed the dynamic in the organization. My point is this: when organizations have that infighting, the only people who win are the adversaries.
They're just sitting back thinking like, okay, well, this target over here, dude, they're in another board meeting today, so now's the time to strike. They're too busy in the board room talking about who does what, when, how, for months and months on end. Now's the time to slip through. And I think there's a huge risk there, with that politics internally being a massive risk. And there's a way to treat that risk, which is... back to your point, Aaron, like, dude, we're in the same organization. It's a team effort. So back to brisket, bourbon and barbecue, right? And when organizations are working together, I love it, dude, because I do a lot of incident response. So I show up on sites, I get packet analysis, get memory, look at PLC logic, the whole thing, and see what has happened. Where's the adversary? How do we get the systems back up, or prevent further damage while fighting through the attack? Because it's never turn off the ICS. It's always how do you fight through the attack?

Dean Parsons (35:37.388) So when I show up, the engineers, to your point, massive, massive knowledge base, and they could look at the HMI or look at the data historian and tell me exactly when something changed. I'm not really sure, understanding what changed, but here's the exact second of what changed and here's what we think might have happened. So if an organization is not connected and working together, IT security, if they're doing incident response, they're gonna come in and do like Windows analysis, great, but there's 70% of the control system they also have to do analysis on. So this is where an engineer, if they trust you and they work with you, they're going to go get the packets off the plant floor. They're going to go get the logic from the PLCs. And that's, I think, again, how we win. Like, it's not just go get memory from the Windows box and run analysis on it. It goes beyond that, I think.
So yeah, this is me saying like we need to sing campfire songs and eat s'mores together, right, as teams around the campfire, right? There's more value in that, I think, than giving the adversary an opportunity.

Aaron Crow (36:37.444) Yeah. Well, and you hit on it earlier too, and I want to come back to it, but bribery works. And what I mean by bribery is, if I'm going to a power plant or I'm going to a manufacturing facility or something like that, I'm bringing donuts. Cause usually they're in the middle of nowhere. Like, there's not good food options. Nobody's running to, you know, Subway or whatever, because it's an hour from town. Right? So when you bring donuts or cookies or whatever, like, it doesn't cost that much, but you're gaining. You're doing exactly what you think, you're building relationships, and, you know, another one of my mentors told me a long time ago, all business is a people business. I don't care if it's the CEO or the janitor, right? You've gotta, I have to sell you on my idea, A, that I'm trustworthy, B, that I'm not going to break something. At a plant or an environment in OT, they want to make sure that when you're here, you're not going to break anything, right? Because they're the ones that are going to have to fix it.

Dean Parsons (37:15.778) Yeah.

Aaron Crow (37:31.952) They're going to kick you out and then they're going to fix it, and they're going to get in trouble for you being there and you breaking it. That's ultimately why they don't trust you. And they've probably had that, because they've had other people that have come in and broke shit and they had to fix it.

Dean Parsons (37:37.39) 100%. Yeah.

Dean Parsons (37:46.402) And let's face it, if the most intelligent engineer walks into the IT security department and says, can you just scooch over? I'm just going to change some firewall rules and some email security. You'll never let them sit down at the keyboard, right?
So why is it that we see it the other way around, and the engineer's like, dude, what? I can totally understand the frustration or confusion that the engineer would have, rightfully so.

Aaron Crow (38:00.827) Nope.

Dean Parsons (38:12.236) You mentioned coffee, donuts, whatever, bribery. It really is a lot of trust. There's a large power plant that I've done a lot of work in, like 5,000 megawatts. It's huge. I mean, with hydroelectric generation, you can't just put it where you want. You have to put it where the water source is, right? So there's a massive, massive dam in the middle of the woods, and it's an eight hour drive to get there. There's a town built for the people who work at the plant. It's such a big plant. So this is common in large facilities, remote areas. So I remember, you can fly there, takes two hours on a small prop plane, or you can drive the eight hours. So I remember when I first went to this facility, I packed up, like I think it was donuts, muffins, the whole thing, just in the back of the car. And I made the eight hour drive, and this was the first time I legit passed more bears than people in cars going the other way. Got there to the facility. And it was like a shoo-in, like, dude's got baked goods, man. We're in. And it was like this conversation then of like, well, see, here's the thing. When you have them in that position or situation, it's like you want to befriend them. Here's an offering. But you got to be careful not to abuse that, because it's like, yeah, let's have coffee, donuts. But if you lead then with coffee, donuts, right, let's get into the meat of the matter, by the way, I'm here from security. And did you know the good news of you should not click on bad links? Like, that's, you're going to lose them, right? Because that's now IT security. And I learned that early in my career too.
Like, I started then walking in saying, hey, have you heard about the Trisis attack or the CrashOverride impacts? Like, did you know that we have those protocols they might be able to abuse too? Like, I know CrashOverride abused 104, but we have DNP3, right? And maybe that can be abused too. And immediately the engineer's like, whoa, dude, like not only did he bring baked goods, he knows what DNP3 is. He knows what safety is.

Aaron Crow (40:05.179) Right.

Dean Parsons (40:07.052) So I would agree that it's bring baked goods, but it's have that conversation. Like, you're in their environment, and then if you're talking their language, you start getting respect quick. And that's hugely helpful, because you might be the person going to site with more baked goods later on, but also responsible to do the incident response. And they're not gonna let you touch anything if they don't trust you. Yeah, so I think there's a big piece of it here. While I do tactical, technical training, I teach a leadership class as well. The leadership piece and, to your point, the people side of it is huge. We should never overlook that. So big piece here, while we're all getting tactically trained and getting pre-positioned tools to acquire meaningful forensics information and rapidly pace through it and triage it, that's great. But if you don't have the ability to go into a plant and say, hey, I'm here to help, and they don't trust you, the adversary is gonna win again, right? So yeah, I think on the IT security side, it's like, technology whenever you want it, changes whenever you want it. On the ICS side it's like, let's enable logs, eat cookies, and then let's work together. I think there's a whole thing there. There's a whole thing there. It's easy.

Aaron Crow (41:10.64) That's right. That's right, right? But it sounds so, it's just like the technology and the implementation, right? It's not sexy, but it's what it takes, right? You have to build that trust.
You know, when I had a team, and you know, I supported 40 plus power plants across the state of Texas. Texas is a big state. If you haven't been here, seen it on a map, they're not exactly, you know, to your point, it's six hours away from headquarters to get to that power plant. And I hired a guy and he was from IT.

Dean Parsons (41:20.163) Yeah.

Dean Parsons (41:37.463) Right.

Aaron Crow (41:41.892) You know, he came from cybersecurity working in the Air Force. And then he was in IT, enterprise security, all that kind of thing. So he had the right credentials. He knew what he was doing, but he only came from an IT side. And we were doing, so I supported all of the control system equipment. So from the firewalls to all of the tech below the boundary firewalls at the facility, which included patching and, you know, secure remote access, file transfer,

Dean Parsons (41:54.979) Right.

Aaron Crow (42:11.77) you know, the Active Directory and kind of everything in that tech stack at those sites. Well, there was a particular update or vulnerability that was released for one of the control systems. I don't remember which one, didn't really matter. And he took it upon himself, thinking he was doing the right thing, and went ahead and pushed an update on a system. The problem with that is it was Friday at about three o'clock and he did not call and tell anybody that he was doing it.

Dean Parsons (42:38.562) Yeah.

Aaron Crow (42:39.12) So he pushed an update to an operator workstation. So think about, picture the control room, an operator sitting at a workstation, and all of a sudden their machine reboots. They're running, power plant's running, and now they just lost one of their systems. Now they just lost a second system. Now they lost a third system because it's rebooting. And of course, as soon as they figure out what's happening, I get the phone call and they're screaming.

Dean Parsons (42:50.658) Yeah.

Dean Parsons (43:03.15) Sure.
Aaron Crow (43:04.454) And it really came down to a policy that we created and said, you know, are you going to go over to somebody's house and just walk in the door and open up their fridge and turn on their TV and, you know, take their car out of their garage without asking first? Like, you're going to knock on the door. Even if you're best friends, like, you still, it's their house, right? Take your shoes off, respect the rules, whatever those rules are. And so basically I sent him, I said,

Dean Parsons (43:23.5) Yeah. Yeah, yeah.

Aaron Crow (43:32.858) get your ass in the car and go to East Texas. Because he goes, well, it came back up. I'm like, yeah, but you broke their trust. So you're going to show up there. You're going to apologize in person. You're going to make sure everything's working, make sure they're comfortable. And then when you're done, you can come back home. And from that point on, you're not pushing anything unless, A, somebody's physically sitting in that control room, or the exception is we've gotten a written approval from them with, you know,

Dean Parsons (43:47.043) Yeah.

Aaron Crow (43:57.542) pre-job brief and the whole nine yards, and plant management has signed off on it before we ever do anything remotely. And we're never doing that on Friday at three o'clock. So that's just out of the conversation.

Dean Parsons (44:08.558) So that's a really good example of how to get kicked out of a facility, maybe get fired in some places, but also with that, you can cause physical disruption, safety disruption. Like, yeah, it's not only rude, that person could have direct influence on safety.

Aaron Crow (44:15.119) Yes.

Dean Parsons (44:29.646) I told the story like, okay, well, you know, someone's challenging me, like, what's unsafe about a facility? So we went to a facility once, I brought my team, new people on the team as well, gung-ho to do good things.
And they had good ideas and different implementation requirements. But we got to the facility and we're in hard hats and all kinds of stuff. Things started to change. And then we're at a generating facility, and this was a thermal plant, and a fire broke out on site. Like, there's sirens, and like, we did the on-site safety training. Why do we do that? Because we're physically at risk. So we were trained in a 25 minute conversation, like a 25 minute video, knowledge checks, and we had to exercise it that day. And I can tell you the people that came from IT, great people, they learned in that 25 minutes of sirens going off, exiting the building, holding the rail on the right all the way down to get out the exit door. They learned quickly and effectively, we need to take this different approach to ICS. And I think that's, yeah, I guess what I'm trying to say is get people to site, whoever's responsible for site in any aspect, frequently. Get them to site as often as you humanly can. Yeah, lots of value there for sure.

Aaron Crow (45:36.134) 100%. To me, it's the whole, the thing that we've missed, and it's beyond just cybersecurity, it's beyond just OT. It's the whole apprenticeship model, right? And we see that in electrical work, we see that in plumbers, et cetera. There's a reason why we do that. You can't become a master plumber until you've apprenticed for so long, right? You can't get your license. And I know we keep double tapping on this theme, and sometimes these themes just come out of these conversations, but it's a huge impact theme that I think

Dean Parsons (45:47.554) Yeah.

Dean Parsons (45:53.39) Yeah.

Aaron Crow (46:05.786) people really need to understand. Again, I said it before and I'll say it again, it's a superpower, right? Understanding the risks and really, I put those hard hats on, those are not just for show. Like, I wore those in outages. Like, those are things, when I show up in that space, I'm not pretending, right?
It's because I've spent hours in outages. I've worked for a month in 16 hour days, seven days a week, sleeping very little, working odd shifts,

Dean Parsons (46:19.651) Yeah.

Aaron Crow (46:33.912) all the things to do the control system upgrade, because we had to do it when it had to be done. And usually in a control outage, in an outage, especially at a power plant or something like that, right? I'm not critical path for the outage, right? It's physical replacement of equipment and welders and things like that. So I have to fit in to the outage schedule where I can. So sometimes that may mean I have to come in at three o'clock in the morning on a Saturday, because that's the only time I can do the work that I need to do, right? Because I have to take this certain safety system down that they're using in a LOTO, which is lockout, tagout for those that don't know. They have to LOTO this space so it can be done safely. So knowing all these things, you can't get that knowledge in a book. Like, you can't understand, like, it reminds me of Big Bang Theory, you know, Sheldon, he learned to swim by reading a book about it, but he's never actually implemented it, right? Like, you can't learn to swim by reading a book about swimming. Like, you understand the concept, but it's different when you're

Dean Parsons (47:22.446) Different thing.

Aaron Crow (47:30.45) The people who experience that 25 minute outage or that safety incident, they will forever remember that, and why OT is different and why safety is important and why we do pre-job briefs and why we have safety zero culture and why we have challenge coins and stop when unsure and all these

Dean Parsons (47:37.761) for

Aaron Crow (47:49.676) safety minded things that happen in these OT spaces that IT people don't experience every day, because they're working in an office with a coffee machine in a break room and a water cooler, and the risks are just different in their environment.
They're not having to walk past steam that could cut them in half and they can't even see. And if they don't know what's there, it will literally cut them in half and kill them.

Dean Parsons (48:10.28) I think that from, so I think we totally nailed it home. Getting to site, safely getting to site and safely leaving site, is one of the biggest things that people really need to do when they get into ICS security. I think for me, looking at, I guess maybe the future, what the adversaries are doing from my perspective is they know engineering as well. And so we're behind, because IT security, if those are the ones dedicated to ICS security, they're going to level up. Because the adversaries, we've tracked the adversaries and seen them reprogram a controller. We've seen them take over an engineering workstation. We've seen them get remote access to a human machine interface in water, in electric, and abuse it. And not just reboot the box, but abuse it, misuse the system against itself. And so we need to catch up. That is, from my perspective, what I see. I think it's still easier than IT security. And I think the threats that they have out there today of living off the land is not something we can just install antivirus on, which may be only 20% effective anyways, because we have 70% of devices, or even 80%, that can't take these agents and hope that AV is going to do it. It's not going to do it, based on the threats we see and based on the assets that are being targeted at low engineering levels in the Purdue model. So I think moving forward, we will continue to see living off the land. I still think we're going to see some exploitation, yes, probably less in some cases, because they don't need exploitation code in many cases. And we've seen them already target Triconex controllers and safety instrumented systems and so on. And not picking on the Triconex controllers, that could have been any controller that was a target for the adversary, right?
Yeah, but I think, again, bringing it back to a positive, actionable outlook here, the five critical controls, have those in place, and you drastically reduce your risk. Let me rephrase that: you drastically increase safety to a facility, right? And that's not do 115 things right now. It's in the next six to eight months, if you don't got this in place, you probably should focus on those five things. And then have someone trained ICS specifically to understand how the control system operates, how it can be abused, and kind of go from there. If there was, I mean, all five of the critical controls, as we know, Aaron, are important. But if there's one that I would focus on, that

Dean Parsons (50:23.948) the majority of folks I meet in the field globally are focusing on now. Once they have architecture in place, they go right to get network visibility. If I can get packets on the network, I can see what's happening, which gives you asset inventory information, which gives you, passively, safely, vulnerability information, which gives you, I love this one, engineering, troubleshooting, and root cause capabilities. So there's high return on investment on those five controls, and they're threat-based.

Aaron Crow (50:52.09) And that's the key, I think, is tying all of those, whatever I'm trying to do, if you can tie those to an operational ROI, like, what do they get from it? Because nobody cares about cybersecurity for cybersecurity's sake. They don't, right? A plant manager doesn't give a shit about your cybersecurity firewall or tool or monitoring or anything like that. How is it going to make them more reliable, more available and more safe? Like, if you can translate that into those languages, you're going to win a lot of conversations.

Dean Parsons (50:59.32) Yeah. Yeah, yeah, yeah.

Dean Parsons (51:13.558) Yep. So if we...

Dean Parsons (51:18.286) 100%, 100%. The objective shouldn't be how many advanced persistent threats do we find this month.
It's how do we understand, is the control system functioning as you'd expect? Can we do root cause analysis? I have shamelessly relabeled some of the programs from cyber security to cyber safety to kind of leverage that physical safety culture, and be careful not to abuse that. And then you got the engineer's ear. And then if you fill it with don't click on bad links, then you're gonna get kicked out. But if you're like, dude, let's look at the ICS protocols. I know what could happen. Can you help me with this? I want to help you. Security supports safety, I think, and not the other way around. So again, I go back to, dude, this is doable. I love doing what I'm doing. I think there's value in what we do as a community to protect our critical infrastructure, whether it's water facilities, heavy manufacturing, power systems. I think there's huge value in it. And I think we have to do more of it because of the threats. It's not just as fun. It is. It's awesome. It's helpful and useful, but

Aaron Crow (51:55.91) 100%.

Aaron Crow (52:12.036) Yeah. Sure.

Dean Parsons (52:15.234) we're pushed to do something better in this location, in this community, because of what the adversaries continue to do. But it's doable. Yeah.

Aaron Crow (52:22.138) Yeah. A hundred percent. Love it. Yeah. So all that we've said today, what's the next five to 10 years? And we may have already hit on some of this, but what's one thing that you see come up over the horizon that you're excited about? Maybe one thing that's a little concerning.

Dean Parsons (52:35.618) Yeah. So I think I'm really excited that organizations really are taking on the responsibility to say, this is the business. ICS is the business. Let's face it, like, if an organization has an ICS, that's why they're in business. Every other facility and department supports that. And that's great. We need to collaborate, no question.
So I think the concern I have is the adversaries more more live off the lens. It's harder to detect what the adversaries are doing. But we can combat that by training individuals who know the engineering environment. That's actually not that hard to do. And I think from my perspective, the five critical controls makes a lot of sense. I'm also, I guess, enlightened and enjoyed by the fact that mature organizations are starting to shift or augment their budgets to look at the controls as they protect it. And I think as well, they're actually getting purpose roles now for ICS and not expecting IT to just automatically be there and do all the stuff on the ICS. They're getting training for IT people to do ICS security. they're getting engineers to step up that ICS security aspect as well. So, but I think in the next five, 10 years, like we've already seen targeted control system attacks on safety environments. I don't want to see death. It's definitely possible. And I'm not trying to sound dramatic with traces as a prime example, we could see death injury, but also physical asset destroyed as a result of a targeted cyber attack or a physical cyber blend, warfare. And I think that's definitely on, it's been on the table for a while. Aaron Crow (54:06.916) Yeah, and I just hope that it doesn't, you like sometimes it takes a bad or something really bad to happen before dramatic or people really take serious, you know, it's the same analogy of, you see something on the news and somebody got robbed or their car got broken into or somebody was stabbed or mugged or whatever, but it was in a neighborhood in a, you know, on the other side of town or in a different city. And yeah, you may read it and you say, that's really, you know, whatever, sad or whatever. But when it happens, to you or maybe your next door, like the next door neighbor gets broken into, it changes your perspective on things. Like, wait, what do I need to do? Cause I'm, that was next door. 
Like they could have just as easily broke into my house. Cause they, we live on the same street. So when you start seeing those things as how it can impact me and that it's, it's not FUD, it's not, know, you know, it's not just fear. It's not just nation states and all those things are true, but they're, they're, these things are real. These are, these, these risks are real. Dean Parsons (54:38.978) Yeah. Yeah. Dean Parsons (54:44.685) Yeah. Aaron Crow (55:04.71) And we need to remember that by also to your point in earlier is we need to categorize those based on likelihood, risk to the environment, all those things, all those are factors. It's not just a, yeah, you know, I've got a vulnerability that's on this PLC and I need to shut down the power plant to update it. Like, no, that doesn't make sense. Dean Parsons (55:12.718) For sure. Dean Parsons (55:23.683) Yeah, Yeah, we need to be definitely proactive, because reactivity doesn't make sense. Like there'll be loss, Perry, whether it's data or financial or brand or like human life, it will be loss if it's all reactive. Yeah, for sure. So I totally agree with you on that. And I think that. And again, like this is doable. It's not rocket science. It is some people stuff. It's baked goods. It's having that conversation. And I think that there's a necessity. When you just mentioned about like the neighborhood five blocks down is not concerning me. I'm up here. When it comes closer to you, there's more of a concern. That's more of a reactive thing as well. But pipe dream is a piece of malware that exists, which is scalable. So you asked me the question, Aaron, to kind of round up this great conversation. I think that in the next five to 10 years, we're going to see more scalable attacks where pipe dream is a prime example of, well, I can target that neighborhood down there, six, 10 blocks down. 
But dude, I can do the same with this malware in your house because you have the same components in this homogeneous environment in the control system. So scalable attacks are on the table. No question. Yep. Aaron Crow (56:30.01) Yeah. Yeah. A hundred percent. So, how can people find out more about you? Come see you speak, take your class, all the things. What's the call to action? Dean Parsons (56:38.218) So yeah, I'm on LinkedIn and usually on LinkedIn, I drop a ton of content out there. So cheat sheets, posters, blogs. I do a video series as well, like snippets of like, you asked me a question, I respond, it's called Sands ICS, Sands ICS rapid response. But so LinkedIn, also I teach 515, which is a six day technical class, like diving deep into discovering assets, doing its response, PLC kit on the desk, hack it and defend it the entire week you get to take it home. but I also teach a two day leadership level class, ICS418. Upcoming like soon, like soon, man, like in a couple weeks, we're gonna be in June at the ICS Summit, the 20th anniversary ICS Summit, so I'll be speaking there. hands-on workshop, interactive workshop, teaching there as well. And that's really, from my perspective, and I've been a SANS student for like 19 years now, that summit is like, for me, it's where the community comes together for actions, right? And it's sharing things in person that you probably wouldn't do over Zoom that can help people out and... dissolve challenges, right? So I'll be at the summit. If anybody's getting into ICS security, link out to me at any point, see me at the summit, ask any questions, I'm here to help out. Aaron Crow (57:52.868) Yeah. And that's a great, great piece guys is check in, plug into these places, find ways you can learn from others, right? There's so much knowledge. And this community in my experience has been nothing but opening and willing to, you know, take people in and give them knowledge and share and mentor. 
Because we, I'm speaking for you right now, but I think from what I know of you and all that you do, We care about the bigger picture, right? I don't care that Aaron is the one solving it. I don't want to be the one that necessarily solves it because I can't solve all the problems. Neither can Dean. We want to make this better. Like rising tides raise all ships. We want to increase all of these environments. And if I can, you know, give you a nugget of experience that I have from a power plant or from a wastewater facility or from a car manufacturing facility because of something that I've seen and experienced, I'm happy to give it to you. And I know you are in almost everyone that I meet in this space. Dean Parsons (58:32.12) Yeah. Aaron Crow (58:49.932) is that way. So ask, reach out, social media, at a conference. Like that's why we do this, why I do this podcast. This is not a revenue thing for me. I do this because I see value in this, getting out in the community and growing the message and the knowledge there so we can protect things that matter. Dean Parsons (59:08.91) Awesome, man. Thanks for having me on. really appreciate it, Aaron. It's great. I think you're passing along the torch just like kind of Mike Asante has passed the torch to us in many ways and other people from that era as well in the ICS community. So thanks for having me on. I appreciate it, Aaron Crow (59:22.53) Absolutely. Thanks for coming. really appreciate the time and I definitely go check out Dean and take his class and see him in all the places. So thanks a lot guys.
